As financial institutions continue to respond to the challenges posed by COVID-19, the Financial Conduct Authority (FCA) has set out its expectations of how firms should be managing their business from a business continuity, operational resilience and recovery and resolution perspective. In addition, the FCA has required certain firms to submit copies of their business continuity plan (BCP), operational resilience framework (ORA) and recovery and resolution plan (RRP) (together, the contingency plans) for review.
In previous statements, the FCA emphasised the importance of proper planning, constant monitoring, quick reactions and proactive remediation in the event of business disruption, and it is clear that it expects firms’ contingency plans to be capable of dealing with any future developments in the COVID-19 situation. Therefore, firms should be reviewing and updating their contingency arrangements to ensure that they are not only fit for the current climate but also stand up to potential regulatory scrutiny.
This alert highlights some of the issues that firms should consider when reviewing and updating their contingency plans.
The requirement to maintain and update BCPs has been woven into various aspects of regulation and has typically formed one of the key supervisory pillars by which regulators such as the FCA monitor the ability of a firm to withstand adverse events.
The FCA expects the BCP to address a variety of topics, covering: resource requirements, recovery priorities for each of the firm’s operations, stakeholder communications plans, escalation and invocation plans, the integrity of management information, and regular BCP testing. Factors that firms should take into account when reviewing, updating and implementing their BCPs include:
- Has the firm drafted and implemented a BCP?
- Has the firm identified all of its business resources and assets that need to form the subject of, or be included in, the BCP? Resources would include staff, real estate, technology, business lines and control functions.
- Has the BCP been reviewed by the board during the COVID-19 period?
- Have adequate reporting lines been set up to support the provision of management information in a timely and effective manner? How are these to operate in times of remote working?
- Have any barriers arisen that have impeded the firm’s ability to prudently and efficiently implement the BCP during the COVID-19 period?
- Does the firm’s BCP account for both short-term and long-term impacts? For instance, does the BCP address extended periods of working from home?
- Are senior management and other members of staff aware of their responsibilities under the BCP? Does the BCP account for senior management and staff absences?
- Are reportable events (e.g., potential breaches of FCA rules) and reporting lines identified such that management are aware of the circumstances, timeframes and methods in and by which to engage openly and honestly with regulators?
- Can the firm identify in short order impacted customers and third parties (whether service providers or otherwise) and is there a communications plan to engage with them?
- Has the firm assessed the impact of business disruption on customers and is it clear that the relevant contingency measures are appropriate to meet the firm’s obligations towards clients? For instance, can the customer access the firm’s switchboards in a fair timeframe when staff employed to operate those switchboards are working from home?
- Would the firm’s testing methodology to date be robust in replicating disruption scenarios? As an example, has testing included extended periods of working from home, and ensuring that both operating systems and control functions are effective in these circumstances?
- Have senior management and staff been trained in what to expect, and what is expected of them, in executing the BCP? Have changes to the BCP been communicated to staff?
Supplementing the high-level requirements of BCPs are more specific requirements relating to ensuring the integrity and continuity of outsourced services, whether they are critical, important or non-critical. Both the FCA and European Banking Authority (EBA) have issued detailed guidance in this area, which firms should take into account, particularly considering that firms remain responsible for the provision of the services they outsource. Issues to address include:
- Has the firm performed a business impact analysis that analyses exposures to a broad range of disruption, ranging from minor impacts on certain areas to severe impacts on multiple operational areas?
- Have business functions and their supporting processes, third parties and information assets, as well as the interdependencies of these, been mapped?
- Have any contingency plans been approved by relevant management stakeholders and is there a record of each stakeholder considering interdependencies between their area of responsibility and others?
- What are the potential impacts on confidentiality, and data integrity and availability, and have these been quantitatively and qualitatively assessed?
- Are there clear recovery timeframes pegged to the BCP for each operation?
- Is the BCP available on a system that is physically separated and readily accessible if required?
- Are there effective communication lines between the senior management at the firm and those of the supplier? Are there robust and practical monitoring arrangements in place so the firm can ensure the proper provision of the outsourced service?
- Are suppliers to whom the firm has outsourced material functions aware of their obligations to deal in an open and cooperative manner with the firm’s regulators (this is particularly relevant for third country service providers)? Does the supplier contract reflect this and any other regulatory obligations? Do outsourcing agreements and service-level agreements set out risk-mitigating measures to be taken by either side?
- Has the firm identified intragroup arrangements within its control and supervision, and how has the firm dealt with the unavailability of those services, both for itself and reliant group entities?
- Does the BCP envisage that a service provider is unable to meet its obligations and does it take into account wider impacts to providers in that industry, such that alternative arrangements would need to be made?
- Has the firm learnt of any additional material outsourcing arrangements from its COVID-19 response? Has the FCA been made aware of this?